Avoid Fraudulent Email Messages
Alert: Internship Phishing Attempt
CSUN has recently seen phishing emails that pose as faculty members advertising internships. The phisher will eventually ask for money. Internships are not for sale and you do not have to pay money for an internship. If you get one of these emails, forward it to abuse@csun.edu.
Examples of this type of phishing and many other examples of phishing are on our web site. The web site can be found as part of CSUN’s Information Security web presence.
Preventing Phishing Attempts
- Social media is the main way a phisher obtains information about you and tailors their e-mails to your interests. Limit the personal information you provide in your posts (school, location, full name, etc.), even if your account is set to private; not everyone who follows you is trustworthy.
- Use unique passwords: A single password used on all of your sites is a hacker's best friend. A password can be stolen from a website with lax security and then be used to hack into your accounts. Unique passwords limit the damage to one site. Use a password manager to help you remember or generate your unique passwords.
- Think carefully before clicking on a link or image. Phishing and other malware scams rely on our habit to click first, think later.
- Keep programs up-to-date: Most applications on all of your devices have automated update features. Turn them on.
- Turn off Flash or turn on Ad-blocker. Flash Player is popular with hackers. They exploit Flash by inserting malicious bits of code into ad networks used by well-known businesses.
- Watch this Ninjio video about a spear phishing attack - Dallas Siren Hack.
Institutes of higher education continue to be targeted by fraudulent email messages and ransomware attempts. CSUN implemented a solution that checks incoming email from off-campus accounts that contain web links with fraudulent characteristics. If fraudulent characteristics are detected, and a user clicks on one of these links, the user is directed to a page indicating the website has been blocked. CSUN also implemented a solution that detects and prevents incoming phishing attacks from non-CSUN email addresses. This solution blocks approximately 60,000 fraudulent messages every month.
Despite taking preventive measures, phishing email attacks continue to be sent from compromised faculty and staff accounts. The best method to prevent these attacks is to never provide your CSUN user ID and password in response to an email request and to question the source of the email received.
Tips and Resources
It can be very tricky to identify a phishing scam, but here are some common traits:
- Asks for sensitive information (e.g. click here to verify your username and password)
- Asks you to download something (e.g. click here to get the necessary virus update file)
- Contains spelling and/or grammatical errors (e.g., thank you, from trusted administrator)
- Threatens you (e.g. do this or else your account will be deleted)
- Contains suspicious web addresses/URLs (e.g. visit the CSUN page by visiting: http:// www. csunorg31.com/account)
- Contains unexpected/inaccurate content (e.g. you've exceeded your email quota)
- Is generically addressed (e.g. dear CSUN customer)
- Expresses an urgency (e.g. you must click here immediately to avoid having your account terminated)
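The traits in the list above can be turned into a simple scoring check. The following is an added example written for this page, not a CSUN tool; it parses a raw email with Python's standard email module and reports which of the listed traits it finds (credential request, download request, threat, urgency, generic salutation, and a web address that mentions CSUN but is not on a csun.edu domain). The two sample messages, the trusted-domain set and the regular expressions are constructed assumptions for the example.

```python
"""Heuristic phishing-trait scorer (added example, not CSUN's own tooling)."""
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Assumption for the example: hosts on these domains are not flagged as lookalikes.
TRUSTED_DOMAINS = {"csun.edu", "my.csun.edu"}

# One pattern per trait from the list; all are case-insensitive.
TRAIT_PATTERNS = {
    "asks_for_credentials": r"\b(verify|confirm|update)\b.{0,40}\b(password|username|user id|credentials)\b",
    "asks_to_download": r"\b(download|install|open the attached)\b",
    "threatens": r"\b(account will be (deleted|terminated|suspended|locked)|or else)\b",
    "urgency": r"\b(immediately|urgent|within 24 hours|right away|act now)\b",
    "generic_salutation": r"^\s*dear (customer|user|employee|member|csun customer)\b",
}

URL_RE = re.compile(r"https?://[^\s<>\"]+", re.IGNORECASE)


def body_text(msg: Message) -> str:
    """Collect the text/plain parts of a parsed message as one string."""
    parts = []
    if msg.is_multipart():
        for part in msg.walk():
            if part.get_content_type() == "text/plain":
                parts.append(part.get_payload(decode=True).decode(errors="replace"))
    else:
        parts.append(msg.get_payload(decode=True).decode(errors="replace"))
    return "\n".join(parts)


def lookalike_domains(text: str) -> list:
    """Hosts that mention 'csun' but are neither csun.edu nor a subdomain of it."""
    hits = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host and "csun" in host and host not in TRUSTED_DOMAINS and not host.endswith(".csun.edu"):
            hits.append(host)
    return hits


def score_message(raw: str) -> list:
    """Return the names of the traits found in the body of a raw RFC 822 message."""
    text = body_text(message_from_string(raw))
    flags = re.IGNORECASE | re.MULTILINE | re.DOTALL
    traits = [name for name, pat in TRAIT_PATTERNS.items() if re.search(pat, text, flags)]
    traits.extend(f"lookalike_domain:{host}" for host in lookalike_domains(text))
    return traits


# Constructed sample messages (not real email).
PHISHING = """From: "CSUN Help Desk" <helpdesk@csunorg31.com>
To: student@my.csun.edu
Subject: Account verification required

Dear CSUN customer,

You have exceeded your email quota. You must click here immediately to verify your username and password
or else your account will be deleted: http://www.csunorg31.com/account
"""

LEGIT = """From: "Jane Doe" <jane.doe@csun.edu>
To: student@my.csun.edu
Subject: Internship application deadline

Dear John,

The internship application closes Friday. Go to the CSUN homepage > Select Inside CSUN > Internships.
Questions? Call the department office at the number listed in the campus directory.
"""

if __name__ == "__main__":
    print("phishing sample:", score_message(PHISHING))
    print("legitimate sample:", score_message(LEGIT))
```

A message that trips several traits at once deserves a closer look at its full headers before anything in it is clicked; a score of zero does not prove a message is safe, since the patterns only cover the wording listed on this page.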
For more information, visit the CSUN Spam Prevention page.
Phishing emails typically follow a certain structure so here are some tips for you to use when sending your own emails:
- When possible, use the proper salutation, such as 'Dear John' instead of 'Dear Employee'.
- Do use the subject line. Be sure to include a short, descriptive subject for your email. When sending an email that contains essential information regarding free services do not use "free" in the subject line, as it may appear suspicious.
- Use the appropriate capitalization, punctuation and spelling. Emails or subject lines written in all caps, spelled incorrectly or lacking punctuation appear to be suspicious in nature. Avoid capitalized words other than CSUN.
- Refrain from using specialized formatting such as non-standard fonts, sizes or colors.
- Do not embed background graphics, logos or URLs. This embedded content is often used to propagate viruses and additional spam. If you need to point readers to a specific site, spell out the navigation as URLs can be hidden in other URLs. Example: Go to the CSUN homepage > Select Inside CSUN, etc.
- Attachments may appear suspicious. If possible avoid attaching documents; however if it is necessary make sure to add a clear description of the document.
- Refrain from using acronyms.
- Provide a valid way to verify the email.
- Be sure to use your official CSUN email (either .csun.edu or .my.csun.edu).
When reporting a phishing or spam email to abuse@csun.edu, Information Technology will ask you to send the email as an attachment. Sending the email as an attachment allows Information Technology the ability to see full email headers, providing all the information needed to investigate the email. If you need instructions on how to send the email as an attachment, visit the How to Forward an Email as an Attachment page.
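The reason the attachment matters is that a plain forward keeps only the visible sender and body, while the attached original keeps the Return-Path, the Received chain and the Authentication-Results that show where the message actually came from. The following added example (written for this page, not CSUN's investigation tooling) pulls those fields out of an attached .eml and flags the mismatches an investigator looks at first. The sample message, its hostnames and addresses are constructed for the example.

```python
"""Extract the investigation-relevant headers from a message saved as a .eml
(added example, not CSUN's own tooling)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the original headers survive because the message was
# forwarded as an attachment rather than re-sent as a new message.
SAMPLE_EML = """Return-Path: <bounce@mail-relay.example.net>
Received: from mx1.csun.edu (mx1.csun.edu [192.0.2.10])
\tby mailbox.csun.edu with ESMTP id abc123; Mon, 4 Mar 2024 09:15:02 -0800
Received: from mail-relay.example.net (unknown [198.51.100.7])
\tby mx1.csun.edu with ESMTP; Mon, 4 Mar 2024 09:15:01 -0800
Authentication-Results: mx1.csun.edu; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: "Prof. Smith" <prof.smith@csun.edu>
Reply-To: prof.smith.office@webmail.example
To: student@my.csun.edu
Subject: Paid internship opportunity
Message-ID: <20240304171501.1234@mail-relay.example.net>

Hello,

I have an internship available. Reply to this message for details.
"""


def domain_of(header_value) -> str:
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def received_chain(raw: str) -> list:
    """Sending hosts from the Received headers, oldest hop first.
    Mail servers prepend Received lines, so the header order is reversed."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = re.match(r"from\s+(\S+)", value)
        if m:
            hops.append(m.group(1))
    return list(reversed(hops))


def investigation_summary(raw: str) -> dict:
    """Sender domains, hop count and the mismatches worth reporting."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg.get("From"))
    return_path_domain = domain_of(msg.get("Return-Path"))
    reply_to_domain = domain_of(msg.get("Reply-To"))
    auth = msg.get("Authentication-Results", "")
    findings = []
    if return_path_domain and return_path_domain != from_domain:
        findings.append(f"envelope sender {return_path_domain} differs from From domain {from_domain}")
    if reply_to_domain and reply_to_domain != from_domain:
        findings.append(f"replies go to {reply_to_domain}, not {from_domain}")
    if "spf=fail" in auth or "dkim=fail" in auth:
        findings.append(f"authentication failed: {auth}")
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "reply_to_domain": reply_to_domain,
        "received_hops": len(received_chain(raw)),
        "findings": findings,
    }


if __name__ == "__main__":
    print("delivery path:", " -> ".join(received_chain(SAMPLE_EML)))
    for line in investigation_summary(SAMPLE_EML)["findings"]:
        print("finding:", line)
```

None of these three findings (envelope sender, Reply-To and SPF result) is visible in a normal forward, which is why the abuse mailbox asks for the original as an attachment.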
If you learn of an active phishing website that is not already warning users, notify the three main browsers that it is deceptive and should be blocked. When a site is reported as deceptive the browser will display a warning before showing the page.
Ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files unless a ransom is paid. More modern ransomware families, collectively categorized as crypto-ransomware, encrypt certain file types on infected systems and force users to pay the ransom through certain online payment methods to get a decryption key. Visit the Ransomware page for more information.
Spear phishing is another form of phishing that targets specific people; threat actors target organizations and companies in an attempt to retrieve sensitive information. Threat actors have used social engineering as their main tool to get the user to give them access to sensitive information. For more information, visit Spear Phishing.